T1443: backport the HTTP API to crux.

Implementation by Daniil Baturin and John Estabrook.

3 files changed, 427 insertions, 0 deletions

diff --git a/src/conf_mode/http-api.py b/src/conf_mode/http-api.py
new file mode 100755
index 000000000..1f91ac582
--- /dev/null
+++ b/src/conf_mode/http-api.py
@@ -0,0 +1,98 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2019 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+#
+
+import sys
+import os
+import subprocess
+import json
+
+import vyos.defaults
+from vyos.config import Config
+from vyos import ConfigError
+
+config_file = '/etc/vyos/http-api.conf'
+
+vyos_conf_scripts_dir=vyos.defaults.directories['conf_mode']
+
+# XXX: this model will need to be extended for tag nodes
+dependencies = [
+    'https.py',
+]
+
+def get_config():
+    http_api = vyos.defaults.api_data
+
+    conf = Config()
+    if not conf.exists('service https api'):
+        return None
+    else:
+        conf.set_level('service https api')
+
+    if conf.exists('strict'):
+        http_api['strict'] = 'true'
+
+    if conf.exists('debug'):
+        http_api['debug'] = 'true'
+
+    if conf.exists('port'):
+        port = conf.return_value('port')
+        http_api['port'] = port
+
+    if conf.exists('keys'):
+        for name in conf.list_nodes('keys id'):
+            if conf.exists('keys id {0} key'.format(name)):
+                key = conf.return_value('keys id {0} key'.format(name))
+                new_key = { 'id': name, 'key': key }
+                http_api['api_keys'].append(new_key)
+
+    return http_api
+
+def verify(http_api):
+    return None
+
+def generate(http_api):
+    if http_api is None:
+        return None
+
+    with open(config_file, 'w') as f:
+        json.dump(http_api, f, indent=2)
+
+    return None
+
+def apply(http_api):
+    if http_api is not None:
+        os.system('sudo systemctl restart vyos-http-api.service')
+    else:
+        os.system('sudo systemctl stop vyos-http-api.service')
+
+    for dep in dependencies:
+        cmd = '{0}/{1}'.format(vyos_conf_scripts_dir, dep)
+        try:
+            subprocess.check_call(cmd, shell=True)
+        except subprocess.CalledProcessError as err:
+            raise ConfigError("{}.".format(err))
+
+if __name__ == '__main__':
+    try:
+        c = get_config()
+        verify(c)
+        generate(c)
+        apply(c)
+    except ConfigError as e:
+        print(e)
+        sys.exit(1)
diff --git a/src/conf_mode/https.py b/src/conf_mode/https.py
new file mode 100755
index 000000000..d5aa1f5b3
--- /dev/null
+++ b/src/conf_mode/https.py
@@ -0,0 +1,186 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2019 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+#
+
+import sys
+import os
+
+import jinja2
+
+import vyos.defaults
+from vyos.config import Config
+from vyos import ConfigError
+
+config_file = '/etc/nginx/sites-available/default'
+
+# Please be careful if you edit the template.
+config_tmpl = """
+
+### Autogenerated by http-api.py ###
+# Default server configuration
+#
+server {
+        listen 80 default_server;
+        listen [::]:80 default_server;
+        server_name _;
+        return 302 https://$server_name$request_uri;
+}
+
+{% for addr, names in listen_addresses.items() %}
+server {
+
+        # SSL configuration
+        #
+{% if addr == '*' %}
+        listen 443 ssl default_server;
+        listen [::]:443 ssl default_server;
+{% else %}
+        listen {{ addr }}:443 ssl;
+{% endif %}
+
+{% for name in names %}
+        server_name {{ name }};
+{% endfor %}
+
+{% if vyos_cert %}
+        include {{ vyos_cert.conf }};
+{% else %}
+        #
+        # Self signed certs generated by the ssl-cert package
+        # Don't use them in a production server!
+        #
+        include snippets/snakeoil.conf;
+{% endif %}
+
+        # proxy settings for HTTP API, if enabled; 503, if not
+        location ~ /(retrieve|configure) {
+{% if api %}
+                proxy_pass http://localhost:{{ api.port }};
+                proxy_buffering off;
+{% else %}
+                return 503;
+{% endif %}
+        }
+
+        error_page 501 502 503 =200 @50*_json;
+
+        location @50*_json {
+                default_type application/json;
+                return 200 '{"error": "Start service in configuration mode: set service https api"}';
+        }
+
+}
+{% else %}
+server {
+        # SSL configuration
+        #
+        listen 443 ssl default_server;
+        listen [::]:443 ssl default_server;
+
+        server_name _;
+
+{% if vyos_cert %}
+        include {{ vyos_cert.conf }};
+{% else %}
+        #
+        # Self signed certs generated by the ssl-cert package
+        # Don't use them in a production server!
+        #
+        include snippets/snakeoil.conf;
+{% endif %}
+
+        # proxy settings for HTTP API, if enabled; 503, if not
+        location ~ /(retrieve|configure) {
+{% if api %}
+                proxy_pass http://localhost:{{ api.port }};
+                proxy_buffering off;
+{% else %}
+                return 503;
+{% endif %}
+        }
+
+        error_page 501 502 503 =200 @50*_json;
+
+        location @50*_json {
+                default_type application/json;
+                return 200 '{"error": "Start service in configuration mode: set service https api"}';
+        }
+
+}
+
+{% endfor %}
+"""
+
+def get_config():
+    https = vyos.defaults.https_data
+    conf = Config()
+    if not conf.exists('service https'):
+        return None
+    else:
+        conf.set_level('service https')
+
+    if conf.exists('listen-addresses'):
+        addrs = {}
+        for addr in conf.list_nodes('listen-addresses'):
+            addrs[addr] = ['_']
+            if conf.exists('listen-addresses {0} server-names'.format(addr)):
+                names = conf.return_values('listen-addresses {0} server-names'.format(addr))
+                addrs[addr] = names[:]
+        https['listen_addresses'] = addrs
+
+    if conf.exists('certificates'):
+        if conf.exists('certificates system-generated-certificate'):
+            https['vyos_cert'] = vyos.defaults.vyos_cert_data
+
+    if conf.exists('api'):
+        https['api'] = vyos.defaults.api_data
+
+    if conf.exists('api port'):
+        port = conf.return_value('api port')
+        https['api']['port'] = port
+
+    return https
+
+def verify(https):
+    return None
+
+def generate(https):
+    if https is None:
+        return None
+
+    tmpl = jinja2.Template(config_tmpl, trim_blocks=True)
+    config_text = tmpl.render(https)
+    with open(config_file, 'w') as f:
+        f.write(config_text)
+
+    return None
+
+def apply(https):
+    if https is not None:
+        os.system('sudo systemctl restart nginx.service')
+    else:
+        os.system('sudo systemctl stop nginx.service')
+
+if __name__ == '__main__':
+    try:
+        c = get_config()
+        verify(c)
+        generate(c)
+        apply(c)
+    except ConfigError as e:
+        print(e)
+        sys.exit(1)
diff --git a/src/conf_mode/vyos_cert.py b/src/conf_mode/vyos_cert.py
new file mode 100755
index 000000000..4a44573ca
--- /dev/null
+++ b/src/conf_mode/vyos_cert.py
@@ -0,0 +1,143 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2019 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+#
+
+import sys
+import os
+import subprocess
+import tempfile
+import pathlib
+import ssl
+
+import vyos.defaults
+from vyos.config import Config
+from vyos import ConfigError
+
+vyos_conf_scripts_dir = vyos.defaults.directories['conf_mode']
+
+# XXX: this model will need to be extended for tag nodes
+dependencies = [
+    'https.py',
+]
+
+def status_self_signed(cert_data):
+# check existence and expiration date
+    path = pathlib.Path(cert_data['conf'])
+    if not path.is_file():
+        return False
+    path = pathlib.Path(cert_data['crt'])
+    if not path.is_file():
+        return False
+    path = pathlib.Path(cert_data['key'])
+    if not path.is_file():
+        return False
+
+    # check if certificate is 1/2 past lifetime, with openssl -checkend
+    end_days = int(cert_data['lifetime'])
+    end_seconds = int(0.5*60*60*24*end_days)
+    checkend_cmd = ('openssl x509 -checkend {end} -noout -in {crt}'
+                    ''.format(end=end_seconds, **cert_data))
+    try:
+        subprocess.check_call(checkend_cmd, shell=True)
+        return True
+    except subprocess.CalledProcessError as err:
+        if err.returncode == 1:
+            return False
+        else:
+            print("Called process error: {}.".format(err))
+
+def generate_self_signed(cert_data):
+    san_config = None
+
+    if ssl.OPENSSL_VERSION_INFO < (1, 1, 1, 0, 0):
+        san_config = tempfile.NamedTemporaryFile()
+        with open(san_config.name, 'w') as fd:
+            fd.write('[req]\n')
+            fd.write('distinguished_name=req\n')
+            fd.write('[san]\n')
+            fd.write('subjectAltName=DNS:vyos\n')
+
+        openssl_req_cmd = ('openssl req -x509 -nodes -days {lifetime} '
+                           '-newkey rsa:4096 -keyout {key} -out {crt} '
+                           '-subj "/O=Sentrium/OU=VyOS/CN=vyos" '
+                           '-extensions san -config {san_conf}'
+                           ''.format(san_conf=san_config.name,
+                                     **cert_data))
+
+    else:
+        openssl_req_cmd = ('openssl req -x509 -nodes -days {lifetime} '
+                           '-newkey rsa:4096 -keyout {key} -out {crt} '
+                           '-subj "/O=Sentrium/OU=VyOS/CN=vyos" '
+                           '-addext "subjectAltName=DNS:vyos"'
+                           ''.format(**cert_data))
+
+    try:
+        subprocess.check_call(openssl_req_cmd, shell=True)
+    except subprocess.CalledProcessError as err:
+        print("Called process error: {}.".format(err))
+
+    os.chmod('{key}'.format(**cert_data), 0o400)
+
+    with open('{conf}'.format(**cert_data), 'w') as f:
+        f.write('ssl_certificate {crt};\n'.format(**cert_data))
+        f.write('ssl_certificate_key {key};\n'.format(**cert_data))
+
+    if san_config:
+        san_config.close()
+
+def get_config():
+    vyos_cert = vyos.defaults.vyos_cert_data
+
+    conf = Config()
+    if not conf.exists('service https certificates system-generated-certificate'):
+        return None
+    else:
+        conf.set_level('service https certificates system-generated-certificate')
+
+    if conf.exists('lifetime'):
+        lifetime = conf.return_value('lifetime')
+        vyos_cert['lifetime'] = lifetime
+
+    return vyos_cert
+
+def verify(vyos_cert):
+    return None
+
+def generate(vyos_cert):
+    if vyos_cert is None:
+        return None
+
+    if not status_self_signed(vyos_cert):
+        generate_self_signed(vyos_cert)
+
+def apply(vyos_cert):
+    for dep in dependencies:
+        cmd = '{0}/{1}'.format(vyos_conf_scripts_dir, dep)
+        try:
+            subprocess.check_call(cmd, shell=True)
+        except subprocess.CalledProcessError as err:
+            raise ConfigError("{}.".format(err))
+
+if __name__ == '__main__':
+    try:
+        c = get_config()
+        verify(c)
+        generate(c)
+        apply(c)
+    except ConfigError as e:
+        print(e)
+        sys.exit(1)